
CruSec’s 2019 CISSP Study Guide - Domain 1: Security and Risk Management

Domain 1: Security and Risk Management

1.1 Understand and apply concepts of confidentiality, integrity and availability

  • CIA Triad:

  • Confidentiality – Resources are restricted from unauthorized subjects. Data must be protected in storage, process and transit. Unauthorized disclosure can result from human error.

  • Integrity – Assures data has not been modified/tampered with

    • Prevents unauthorized subjects from making modifications

    • Prevents authorized subjects from making mistakes

    • Example: Enron, where senior management modified accounting data to fool investors, resulting in the creation of SOX

  • Availability – services are available when needed by authorized subjects. Cyber threats target Availability more frequently than Confidentiality or Integrity.

  • Opposite of CIA is DAD – disclosure, alteration and destruction

1.2 Evaluate and apply security governance principles

  • Security Governance Principles – goal is to maintain business processes. IT security goals support the business goals (compliance, guidelines, etc). You shouldn’t be looking for the best technical answer, but the answer that best supports the business.

  • Top-Down approach is ideal. Upper management should always be involved. If you see anything referring to a bottom-up approach, it’s wrong.

  • Understand the difference between subjects and objects

  • Subjects – active entity on a system. Normally people. Programs can be subjects as well, such as a script updating files

  • Object – passive data on a system

  • SUBJECTS DO STUFF TO OBJECTS. Do not be thrown off – an application actively running in memory is a subject. If it’s not running, it is an object

  • Frameworks help avoid building IT security in a vacuum or without considering important concepts

  • Can be regulations, non-regulation, industry-specific, national, international

  • COBIT is an example. Set of best practices from ISACA. Five key principles. Focuses on WHAT you’re trying to achieve. Also serves as a guideline for auditors:

    • Principle 1 – Meeting Stakeholder needs

    • Principle 2 – Covering the enterprise end-to-end

    • Principle 3 – Applying a single, integrated framework

    • Principle 4 – Enabling a holistic approach

    • Principle 5 – Separating governance from management

  • ITIL is the de facto standard for IT service management. How you’re trying to achieve something

  • ISO 27000 series. Started as a British standard.

    • 27005 refers to risk management

    • 27799 refers to personal health info (PHI)

  • OCTAVE – self directed risk assessments

  • Liability

  • Senior leadership is always ultimately liable

  • That does not mean you are not liable as well; you may be, and that depends on Due Care

  • Auditing is a form of due care

  • Due Diligence vs Due Care

  • Due Diligence – the thought, planning or research put into the security architecture of your organization. This would also include developing best practices and common protection mechanisms, and researching new systems before implementing them

  • Due Care – is an action. It follows the Prudent Person Rule which begs the question “what would a prudent person do in this situation?” This includes patching systems, fixing issues, reporting, etc in a timely fashion.

  • Negligence is the opposite of due care. If you did not perform due care to ensure a control isn’t compromised, you are liable

1.3 Determine compliance requirements

  • Important Laws/Regulations:

  • SOX – response to the Enron scandal. Compliance mandates for publicly traded companies and ensures financial disclosure. Failure to comply can lead to stiff fines and jail time for executives

  • HIPAA – seeks to guard Protected Health Info (PHI). Applies to “covered entities” (healthcare providers, health plans, clearinghouses).

  • HITECH Act of 2009 makes HIPAA’s provisions apply to business associates of covered entities (lawyers, accountants, etc)

  • Any PII associated with healthcare is Personal Health Info (PHI)

  • GLBA – forces financial institutions to protect customer financial info. Must notify customers of breaches

  • Computer Fraud and Abuse Act (CFAA) – protects government computers used for interstate commerce. It’s a crime to exceed your authorization to use such a computer

  • There are six types of computer crimes (not necessarily defined by the CFAA). Know the motives, which are obvious from the name of each type:

    • Military/intelligence

    • Business

    • Financial

    • Terrorist

    • Grudge

    • Thrill

  • Federal Privacy Act

  • Electronic Communications Privacy Act (ECPA) – protects against warrantless wiretapping

  • Patriot Act of 2001 expanded law enforcement electronic monitoring capabilities.

  • Communications Assistance to Law Enforcement Act (CALEA) requires all communications carriers to make wiretaps possible for law enforcement with an appropriate court order.

  • PCI DSS – not a law. Self-regulation by major vendors. Mandates controls to protect cardholder data.

  • Computer Security Act – required US federal agencies to ID computers that contain sensitive info. They must then develop security policies for each system and conduct training for individuals involved with those systems.

  • California Senate Bill 1386 – one of the first US state-level laws related to breach notification. Required organizations experiencing data breaches to inform customers

1.4 Understand legal and regulatory issues that pertain to information security in a global context

  • EU Data Protection Directive – very pro privacy. Organizations must notify individuals regarding how their data is gathered and used. Must allow an opt-out option for sharing with third parties. Opt-In is required for “most sensitive” data. Transmission of data outside of the EU is not allowed unless recipients have equal privacy protections. The US does NOT meet this standard. Safe Harbor is an optional agreement between the organization and the EU, where the organization must voluntarily consent to data privacy principles that are consistent with the directive.

  • EU Court of Justice overturned the Safe Harbor agreement in 2015. In 2016 the EU Commission and US Department of Commerce established the EU-US Privacy Shield, a new legal framework for transatlantic data transmission which replaced Safe Harbor

  • General Data Protection Regulation – went into effect in 2018 which replaced the above restrictions.

  • Applies to all organizations worldwide that offer services to EU customers

  • Extends concept of PII to photos/videos/social media posts, financial transactions, location data, browsing history, login credentials, and device identifiers

  • Data collection, retention and sharing must be minimized to what the intended purpose requires.

  • Data breach requires notification within 72 hours of discovery

  • Organizations that deal with personal data on a large scale must appoint a Data Protection Officer to their boards

  • The focus of controls is on encryption and pseudonymization, which is the process of replacing some data elements with pseudonyms and makes it more difficult to identify individuals.

  • Wassenaar Arrangement – export/import controls for conventional arms and dual-use goods and technologies. Cryptography is considered “dual use”. This includes countries like Iran, Iraq, China and Russia who want to spy on their citizens, and so they don’t import overly strong cryptography technologies. The US is not included in this. Companies like Google have to make country-specific technology because of this

  • Digital Millennium Copyright Act of 1998 – prohibits the circumvention of copy protection mechanisms placed in digital media, and relieves ISPs of liability for the activities of their users

  • Intellectual Property Protections:

  • Trademark – names, slogans and logos that identify a company/product. Cannot be confusingly similar to any trademarks. They are good for 10 years, but can be renewed indefinitely.

  • Patent – Has to be registered with the US Patent office, which is public information. Many companies avoid this, such as 3M. A patent is good for 20 years, and is considered the shortest of all intellectual property protections.

  • Copyright – Creative content such as songs, books and software code. It requires disclosure of the product and expires 70 years after the death of the author.

  • Licenses – End-User License Agreement (EULA) is a good example

  • Trade Secrets – KFC’s special seasoning, Coca-Cola’s formula, etc. Protected by NDAs (non-disclosure agreements) and NCAs (non-compete agreements). These are the best options for organizations that do not want to disclose any information about their products. Trade Secrets have no expiration.

  • Intellectual Property Attacks:

  • Software piracy

  • Copyright infringement

  • Corporate espionage – when competitors attempt to exfiltrate information from a company, often using an employee.

  • Economic Espionage Act of 1996 – provides penalties for individuals found guilty of the theft of trade secrets. Harsher penalties apply if the offender is attempting to aid foreign governments.

  • Typosquatting

  • Digital Rights Management is any solution that allows content owners to enforce any of the above restrictions on music, movies, etc

1.5 Understand, adhere to, and promote professional ethics

  • ISC2 Code of Ethics (RFC 1087)

  • Canons:

  • Protect society, the commonwealth and the infrastructure

  • Act honorably, honestly, justly, responsibly and legally

  • Provide diligent and competent service to principals

  • Advance and protect the profession

  • Be familiar with the order of the canons, which are applied in order. If there is any ethical dilemma, you must follow the order. Protecting society is more important than protecting the profession, for example.

1.6 Develop, document, and implement security policy, standards, procedures and guidelines

  • Security Policies – These are the highest level and are mandatory. Everything about an organization’s security posture is based around them. They specify auditing/compliance requirements and acceptable risk levels, and are used as proof that senior management has exercised due care.

  • Wouldn’t use terms like Linux or Windows. That’s too low level. It would refer to these things as “systems”

  • Should be reviewed yearly or after major business changes, and dated with version number

  • Very non-technical

  • Standards – mandatory actions and rules. Describes specific technologies.

  • Baselines – represent a minimum level of security. Often refer to industry standards like TCSEC and NIST

  • Somewhat discretionary in the sense that security can be greater than your baseline, but doesn’t need to be.

  • Guidelines – Simply guide the implementation of the security policy and standard. These are not mandatory.

  • Procedures – very detailed step-by-step instructions. These are mandatory. Specific to system and software. Must be updated as hardware and software evolve.

1.7 Identify, analyze and prioritize Business Continuity requirements

  • Organizational plans:

  • Strategic Plan – Long term (5 years). Goals and visions for the future. Risk assessments fall under this

  • Tactical Plan – useful for about a year. Projects, hiring, budget etc

  • Operational Plan – short term (month or quarter). Highly detailed, more step-by-step.

1.8 Contribute to and enforce personnel security policies and procedures

1.9 Understand and apply risk management concepts

  • NIST Risk Management Framework

  • Businesses don’t care about information security, they care about business. Security is concerned with managing the risks to a business

  • Risk Management Concepts:

  • Risk = Threat x Vulnerability

  • Assets – valuable resources to protect. People are always the most important assets

  • Vulnerability – a weakness

  • Threat - potentially harmful occurrence

  • Impact takes into account the damage in terms of dollar amounts. Human life is considered infinite impact.

  • Risk Analysis Types:

  • Quantitative – uses hard metrics, like dollars. Normally done to know where to focus qualitative analysis. Primary focus is determining what takes priority.

  • How likely is this to happen, and how bad would it be?

  • EF and ARO will typically be described as a percentage. If a laptop is lost or stolen, the EF would be 100%. But it’s possible for a fire to damage only 25% of a warehouse. Likewise, a flood may only be anticipated once in every 100 years, making the ARO .01 or 1%

  • Steps in Quantitative Analysis:

    • Determine the worth of the asset, including how much money it generates, its value to competitors, legal liabilities, etc. Assign a dollar amount: this is the Asset Value (AV)

    • Evaluate the loss potential caused by a single instance of damage. Determine your Exposure Factor (EF) and then calculate the Single Loss Expectancy by multiplying AV by EF (SLE = AV x EF). Losses include:

      • Physical damage

      • Loss of productivity

    • Determine the likelihood of an incident occurring. Here we calculate the Annualized Rate of Occurrence (ARO)

      • Derived from historical data, statistical data, etc

      • Quick ARO Cheat Sheet:

        • 1-in-4 = .25

        • 1-in-10 = .1

        • 1-in-20 = .05

        • 1-in-50 = .02

        • 1-in-200 = .005

        • 1-in-500 = .002

    • Determine the ALE by multiplying SLE by ARO (ALE = SLE x ARO), OR (ALE = AV x EF x ARO)

    • Determine the course of action:

      • Reduce risk – use controls to mitigate risk and reduce ARO or EF

      • Transfer/Assign risk – often done by purchasing insurance. You’d have to calculate whether it makes sense financially. Could also mean outsourcing to a third party.

      • Avoid risk – very simply avoiding whatever would be introducing the risk

      • Accept risk – usually done if an asset costs less than any controls required to protect it (see Safeguard Evaluation). The reasoning for accepting risk should be documented. All other options should be considered beforehand.

  • Risk left over after applying countermeasures is Residual Risk. Total Risk is the risk a company faces if it simply accepts the risk. The difference between the two is the Controls Gap.

  • Total risk – controls gap = residual risk

  • TCO – total cost of ownership of countermeasures. If TCO is lower than ALE, you have a positive Return on Investment (ROI)

  • Qualitative Analysis

  • Uses more approximate values or measurements, such as HIGH/MED/LOW

  • Based more on softer metrics such as opinions, rather than numbers and historical data

  • Qualitative techniques and methods include brainstorming, focus groups, checklists, Delphi Technique, etc.

  • Delphi Technique – anonymous surveys. Issuer can’t see identity of who made statements

  • Safeguard Evaluation:

  • ALE (before safeguard) – ALE (after implementing safeguard) – annual cost of safeguard = value to the company

  • The value should not be negative. If it is, the cost of protecting an asset is more than the asset itself.
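The quantitative steps and the safeguard evaluation formula above, worked through in code. This is an added example, not part of the study guide; the two scenarios, their dollar figures and the safeguard costs are constructed for illustration. The second scenario is chosen so the safeguard value comes out negative, which is the case the guide says to watch for.

```python
"""Quantitative risk analysis worked through in code: AV, EF, SLE, ARO, ALE,
then the safeguard evaluation formula.
Added example; all dollar figures and scenarios below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of the asset lost in one incident (0.0 to 1.0)
    aro: float              # ARO, expected number of incidents per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be between 0 and 1")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self):
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self):
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def aro_from_interval(years):
    """Convert 'one incident every N years' to an ARO (the cheat-sheet values: 1-in-20 -> 0.05)."""
    if years <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years


def safeguard_value(before, after, annual_cost):
    """ALE (before safeguard) - ALE (after safeguard) - annual cost of safeguard."""
    return before.ale() - after.ale() - annual_cost


def residual_risk(total_risk, controls_gap):
    """Total risk - controls gap = residual risk."""
    return total_risk - controls_gap


def recommend(before, after, annual_cost):
    """Reduce the risk when the safeguard has positive value; otherwise accept or transfer it."""
    value = safeguard_value(before, after, annual_cost)
    return ("reduce", value) if value > 0 else ("accept or transfer", value)


# Constructed scenario 1: a $2M warehouse, fire destroys 25% of it once in 20 years;
# sprinklers (constructed cost $8,000/year) cut the damage to 5%.
WAREHOUSE = Scenario("warehouse fire", 2_000_000, 0.25, aro_from_interval(20))
WAREHOUSE_SPRINKLERS = Scenario("warehouse fire, with sprinklers", 2_000_000, 0.05, aro_from_interval(20))
SPRINKLER_COST = 8_000

# Constructed scenario 2: a $1,500 laptop lost entirely (EF = 100%) once in 4 years;
# a tracking service (constructed cost $500/year) makes loss a 1-in-20 event.
LAPTOP = Scenario("lost laptop", 1_500, 1.0, aro_from_interval(4))
LAPTOP_TRACKED = Scenario("lost laptop, with tracking", 1_500, 1.0, aro_from_interval(20))
TRACKING_COST = 500

if __name__ == "__main__":
    for before, after, cost in ((WAREHOUSE, WAREHOUSE_SPRINKLERS, SPRINKLER_COST),
                                (LAPTOP, LAPTOP_TRACKED, TRACKING_COST)):
        action, value = recommend(before, after, cost)
        print(f"{before.name}: SLE=${before.sle():,.0f} ALE=${before.ale():,.0f} "
              f"-> with safeguard ALE=${after.ale():,.0f}, value=${value:,.0f}, action: {action}")
```

For the warehouse the sprinklers are worth $12,000 a year (ALE drops from $25,000 to $5,000 at a cost of $8,000), so the risk is reduced. For the laptop the tracking service costs more than the ALE it removes, the value is negative, and the risk is accepted or transferred (insured) instead.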

1.10 Understand and apply threat modeling concepts and methodologies

  • Threat Modeling is where potential threats are identified, categorized and analyzed. Includes frameworks like STRIDE and DREAD

  • Microsoft STRIDE Threat Categorization:

    • Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of privilege

  • Microsoft DREAD Risk Rating:

    • Damage – how bad is the attack?

    • Reproducibility – how easy is it to reproduce the attack?

    • Exploitability – how hard is it to launch the attack?

    • Affected users – how many people would be affected?

    • Discoverability – how easy is it to find the threat?
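An added example, not from the study guide, of using the two models together: each constructed threat is tagged with a STRIDE category and rated on the five DREAD factors, then the threats are ranked so the highest-rated ones are addressed first. The page gives no scoring formula; averaging the five 1-10 ratings is a common convention and is an assumption here, as are the three sample threats.

```python
"""Rank constructed threats by DREAD score, each tagged with a STRIDE category.
Added example; averaging the five ratings is an assumption (the page gives no formula)."""
from statistics import mean

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service", "E": "Elevation of privilege",
}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


def dread_score(ratings):
    """Average of the five DREAD ratings (each 1-10); rejects missing or out-of-range factors."""
    missing = set(DREAD_FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD factors: {sorted(missing)}")
    for factor in DREAD_FACTORS:
        if not 1 <= ratings[factor] <= 10:
            raise ValueError(f"{factor} must be rated 1-10")
    return mean(ratings[f] for f in DREAD_FACTORS)


def rank_threats(threats):
    """Return (name, STRIDE category, DREAD score) tuples, highest score first."""
    scored = [(t["name"], STRIDE[t["stride"]], dread_score(t["dread"])) for t in threats]
    return sorted(scored, key=lambda row: row[2], reverse=True)


# Constructed threats for a hypothetical web application (not from the page).
THREATS = [
    {"name": "Forged session token accepted by login API", "stride": "S",
     "dread": dict(zip(DREAD_FACTORS, (8, 9, 7, 8, 9)))},
    {"name": "Audit log rows deletable by ordinary users", "stride": "R",
     "dread": dict(zip(DREAD_FACTORS, (4, 5, 3, 4, 2)))},
    {"name": "Unauthenticated debug endpoint exposes config", "stride": "I",
     "dread": dict(zip(DREAD_FACTORS, (6, 8, 9, 5, 9)))},
]

if __name__ == "__main__":
    for name, category, score in rank_threats(THREATS):
        print(f"{score:4.1f}  {category:22s}  {name}")
```

The validation matters more than the arithmetic: a threat with a missing or out-of-range factor is rejected rather than silently ranked low, which is how a rating sheet usually goes wrong in practice.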

  • Types of attackers

  • Hacker - Black, White, and Gray

  • Outsiders – make up 48-62% of attackers

    • That means 28-52% of attackers are internal, either maliciously or unintentionally

  • Script Kiddies – little or no coding knowledge, but have knowledge or access to hacking tools. Just as dangerous as skilled hackers.

  • Hacktivists – socially or politically motivated. Include organizations like Anonymous, who are known for DDoS-ing Visa, Mastercard and PayPal to protest the arrest of Julian Assange. Often aim to assure free speech, etc

  • State-Sponsored Hackers – attacks are often seen occurring during normal work hours; it is essentially a day job. 120 countries have been using the internet as a weapon. Include attacks like Sony (N. Korea), Stuxnet (US/Israel), etc

  • Bots/Botnets

Network Attacks

  • Malware propagates through four main techniques:

  • File infection

  • Service injection

  • Boot sector infection

  • Macro infection

  • Anti-malware detects foul play primarily through signatures and heuristic-based methods

  • LOKI – ICMP traffic with commands hidden in it. Not so effective in 2019

  • Smurf Attack – Type of DDoS attack. ICMP packets with spoofed IP. The responses are all redirected to the victim

  • Fraggle Attack – Similar to Smurf attack, but uses UDP.

  • SYN Flood – succession of TCP SYN requests without ever completing the 3-way handshake. Goal is to consume all of a server’s available memory.

  • LAND Attack – packet with the same source and destination address

  • Tear Drop – overlapping fragments, causing the OS to get confused and crash. Countermeasures:

    • Patch the OS

    • Use a firewall that does fragment re-assembly

  • Replay Attack – traffic is intercepted in a MITM attack, and resubmitted at a later time. Time stamping messages is a simple countermeasure.
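An added example, not part of the study guide, showing what several of the patterns above look like from the defender's side when scanning packet records: a LAND packet (source equals destination), a SYN flood (half-open connections piling up on one destination), Teardrop (fragment byte ranges that overlap) and the time-stamp check the guide names as a replay countermeasure. The `Packet` record, its field names, the thresholds and the sample traffic are all constructed for this example, not real captures.

```python
"""Detectors for the LAND, SYN flood and Teardrop patterns above, plus the
time-stamp check used against replay. Added example; the Packet record and the
sample traffic are constructed, not real captures."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    flags: str = ""       # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    frag_id: int = 0      # IP identification field; non-zero marks a fragment of a larger datagram
    frag_offset: int = 0  # byte offset of this fragment's payload within the datagram
    length: int = 0       # payload length of this fragment


def land_packets(pkts):
    """LAND: the source and destination address are the same."""
    return [p for p in pkts if p.src == p.dst]


def half_open_by_dst(pkts, threshold=3):
    """SYN flood: destinations with at least `threshold` SYNs never completed by an ACK."""
    syns = defaultdict(set)       # dst -> sources that sent a SYN
    completed = defaultdict(set)  # dst -> sources that later sent the final ACK
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns[p.dst].add(p.src)
        elif p.flags == "A" and p.src in syns[p.dst]:
            completed[p.dst].add(p.src)
    half_open = {dst: len(srcs - completed[dst]) for dst, srcs in syns.items()}
    return {dst: n for dst, n in half_open.items() if n >= threshold}


def overlapping_fragments(pkts):
    """Teardrop: (src, dst, frag_id) groups in which fragment byte ranges overlap."""
    groups = defaultdict(list)
    for p in pkts:
        if p.frag_id:
            groups[(p.src, p.dst, p.frag_id)].append(p)
    suspicious = []
    for key, frags in groups.items():
        end = 0
        for f in sorted(frags, key=lambda f: f.frag_offset):
            if f.frag_offset < end:   # this fragment starts inside the previous one
                suspicious.append(key)
                break
            end = f.frag_offset + f.length
    return suspicious


def filter_replays(messages, now, max_age=30):
    """Replay countermeasure: accept a message only if its time stamp is fresh and
    the (sender, time stamp) pair has not been seen before."""
    seen, accepted, rejected = set(), [], []
    for m in messages:
        key = (m["sender"], m["ts"])
        if now - m["ts"] > max_age or key in seen:
            rejected.append(m["id"])
        else:
            seen.add(key)
            accepted.append(m["id"])
    return accepted, rejected


V = "10.0.0.5"  # constructed victim address
SAMPLE_PACKETS = [
    Packet(V, V, "tcp", "S"),                          # LAND: src == dst
    Packet("10.0.0.9", V, "tcp", "S"),                 # legitimate three-way handshake
    Packet(V, "10.0.0.9", "tcp", "SA"),
    Packet("10.0.0.9", V, "tcp", "A"),
    Packet("203.0.113.1", V, "tcp", "S"),              # spoofed SYNs that are never completed
    Packet("203.0.113.2", V, "tcp", "S"),
    Packet("203.0.113.3", V, "tcp", "S"),
    Packet("198.51.100.7", V, "udp", frag_id=77, frag_offset=0, length=24),
    Packet("198.51.100.7", V, "udp", frag_id=77, frag_offset=16, length=24),  # overlaps previous
    Packet("198.51.100.8", V, "udp", frag_id=78, frag_offset=0, length=24),
    Packet("198.51.100.8", V, "udp", frag_id=78, frag_offset=24, length=24),  # contiguous, fine
]
SAMPLE_MESSAGES = [  # constructed; m3 is a replay of m1, m4 is too old
    {"id": "m1", "sender": "alice", "ts": 1000},
    {"id": "m2", "sender": "alice", "ts": 1010},
    {"id": "m3", "sender": "alice", "ts": 1000},
    {"id": "m4", "sender": "bob", "ts": 900},
]

if __name__ == "__main__":
    print("LAND packets:", len(land_packets(SAMPLE_PACKETS)))
    print("SYN-flood suspects:", half_open_by_dst(SAMPLE_PACKETS))
    print("overlapping fragments:", overlapping_fragments(SAMPLE_PACKETS))
    print("replay filter:", filter_replays(SAMPLE_MESSAGES, now=1020))
```

Note the replay check keys on sender plus time stamp, so a fresh message is accepted once and an identical copy arriving inside the freshness window is still rejected; a time stamp alone would let a copy through until the window expired.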

1.11 Apply risk-based management concepts to the supply chain

  • Supply Chain – US Trusted Foundry ensures that companies that produce and supply hardware are themselves secure

